
Some time has passed since the GDPR regulations came into effect. Following the flurry of e-mails asking for contact consent and announcing privacy policy changes that flooded people’s inboxes, now is a good time to revisit how these vital changes to personal data processing have affected the recruitment process, and how both companies and consultancies must handle their obligations in order to maintain compliance and foster a culture of transparency in their actions.
While I previously focused on how recruiters should approach contacting potential candidates, including essential provisions such as updating privacy policies in line with these contact requests, this article will focus on putting both compliant processes and the values presented in the privacy policy into action. First, we’ll examine how to handle a candidate’s entry into the recruitment process following initial engagement, then look at how to make the transparency that compliance requires work as an asset rather than a hamstringing control.
When a consultant has found a candidate and is looking to submit them for consideration for a role, we must endeavour to ensure that each step of the process is outlined clearly, with consent sought as candidates move through these steps. This is particularly important in instances where another data controller is added. Furthermore, it is imperative that this consent be explicit and in writing. As part of this consent, the candidate must know how their data is being collected, stored, and used. This information is normally part of a company’s privacy policy, which should be easily accessible.
Another crucial aspect is that the information provided by the candidate is both sufficient and not unnecessarily revelatory. An example of this is the submission of a CV to a hiring manager on behalf of the candidate. Quite often, a candidate’s CV has to be edited, either to clear up formatting issues or to add details that came to light during contact with the candidate and that may draw a closer parallel with the role than the base document would suggest. In some instances, candidate CVs contain unnecessary personal details, such as home addresses, phone numbers, and personal e-mail addresses; in some cases, even CVs with PPS and passport numbers have crossed my desk. In such cases, it is vital that the recruiter edit out this information, and indeed any information that is not relevant to the application or not necessary for the process at whatever stage it is at. Any editing, of course, must be approved by the candidate, even an act of redaction.
At each stage, we must keep candidates informed as to how their information is being controlled and reviewed. As with initial contact practices, it must be very easy for a candidate to withdraw from the process for whatever reason, and as part of that, it must also be easy for all information pertaining to the candidate’s application to be similarly expunged at all stages of processing. The retention of this information, for successful and unsuccessful candidates alike, must also be clearly outlined, time-specific, and subject to expiration and deletion. One must also ensure that the candidate is fully aware of how that information will be accessed and, in particular, for what purposes.
Being GDPR compliant is not a once-off flurry of activity, we should note. Rather, it is imperative that all those who handle personal data not only monitor and enforce their own obligations, but also ensure that everyone connected with the process, be that clients or even ATS providers, remains compliant on an ongoing basis. All those concerned should know their partners’ policies and processes for data retention, processing, and deletion, and should note how easily accessible this information would be to candidates. Similarly, due diligence must be done on prospective partners or service providers involved in the data handling process. This is especially pertinent with non-EU based groups, which would also require the drafting and signing of a data processing agreement duly binding them to GDPR-compliant policies and processes.
This kind of multi-agent transparency is vital in the time of the informed candidate. While many a meme grew from the onslaught of privacy policy update e-mails at the end of May, it did at least remind people en masse of the arrival of the tighter regulations. In turn, many opted to look into the changes and what they would mean for them, not to mention those whose own jobs involved implementing said changes on a wider company scale.
In essence, a higher standard is expected of personal data processors, especially in recruitment. The days of keeping a candidate in your back pocket or having an ad-hoc attitude to privacy are gone, replaced by an opportunity to make the process altogether more personal in terms of interaction and in tailoring services provided to both candidate and client. However, it is important to note that while GDPR is very much here to stay and regulatory obligations are being adhered to as of the May 25th deadline, the intricacies of how businesses interpret the regulation and correspondingly refine their approaches, processes, and policy documentation will be an ongoing process in the coming months and, indeed, years. This and any period of refinement is ultimately a positive thing, as it allows a business to harness the positives brought about by GDPR whilst not compromising on its service standards. Both during and following this period, by fostering a culture and attitude of transparency of operations and respect towards the candidate, we can hope to strengthen the relationships we build in our operations, and in doing so re-establish what an engaged and dutiful recruitment consultant can really do.